Chainalysis assisted DOJ in takedown of NetWalker ransomware

By Alice Leetham
Updated 21 March 2023

The blockchain analysis company provided investigative tools to help the DOJ track down ransomware funds

Yesterday, the US Department of Justice (DOJ) announced the seizure of almost half a million dollars in cryptocurrency as part of a coordinated international effort to disrupt NetWalker, a sophisticated form of ransomware. NetWalker actors spread the ransomware around the computer network of an organisation before sending a ransom demand and instructions for payment. During the pandemic, attacks have specifically targeted the healthcare sector.

Blockchain analysis company Chainalysis revealed on their blog yesterday that their investigative tools had been used to help track down the ransomware funds. Their data showed that nearly $350 million worth of cryptocurrencies was paid by ransomware victims in 2020, a 311% increase from the previous year.

Total cryptocurrency value received by ransomware addresses per year, 2016-2020. Source: Chainalysis

One factor in the rise of attacks is the appearance of the Ransomware as a Service (RaaS) model, which is employed by many strains of ransomware, including NetWalker. In this model, developers rent out their ransomware to attackers known as affiliates, and the ransom is split between them.

Chainalysis also shared data indicating that NetWalker was among the top 10 ransomware strains by revenue this year, and has generated more than $46 million since its emergence in August 2019. Blockchain analysis additionally revealed that NetWalker actors used cryptocurrency to pay for cloud storage hosting, probably to store stolen victim data for further extortion. At least 305 victims from 27 different countries have been affected, including 203 from the US.

As well as disabling a dark web resource used to communicate with NetWalker victims and seizing around $454,530.19 in cryptocurrency from ransom payments, the DOJ also announced they had charged Sebastien Vachon-Desjardins, a Canadian national, in the Middle District of Florida with intentional damage to a protected computer and transmitting a demand in relation to it.

Vachon-Desjardins was allegedly involved in at least 91 NetWalker attacks since April 2020 and is associated with at least 345 blockchain addresses. This allowed him to receive more than $14 million in Bitcoin, which is worth at least $27.6 million at today’s value.

The US Attorney for the Middle District of Florida, Maria Chapa Lopez, commented, “This action reflects the resolve of the US Attorney’s Office for the Middle District of Florida to target and disrupt sophisticated, international cybercrime schemes. While these individuals believe they operate anonymously in the digital space, we have the skill and tenacity to identify and prosecute these actors to the full extent of the law and seize their criminal proceeds”.